Ransomware, malware, phishing attacks, and PHI email breaches continue to spike in 2021. Malware, short for malicious software, is built to exploit weaknesses in our operating systems, whether that means serving pop-up ads or enlisting the infected machine in a distributed denial-of-service attack. This is why HIPAA compliance training is so important. Have you ever wondered how other healthcare organizations train their teams on HIPAA compliance or protect their email? In this episode, that is what you will find out. Elena Yau, Director of IT and HIPAA Security Officer at Five Acres, gives an in-depth look at their HIPAA compliance processes and procedures.
Elena: Thank you, Sierra. Five Acres is a mental health agency. We've been serving the greater part of LA, and we've been open since 1888. We're a service agency that has various programs. We work with residential a lot. There are kids that stay with us, particularly during COVID. We have community-based programs, foster care types of programs as well too. But that is the dynamic we work in.
Our population for kids is definitely a lot tougher type of kids. It's kind of hard to find placement for these kids. We will try to work with them and with their families as well to try to put them back with their families and establish some kind of permanent living situation for these kids. We're the oldest agency out there that still does residential right now since 1888. We're still here.

Sierra: Right? That's nuts. Elena, can you provide some background on yourself and your current role at Five Acres?
Elena: I'm the Director of IT. I'm also the HIPAA security officer for our agency. So, we oversee a lot of the cyber and infrastructure and that kind of stuff for the agency.

Sierra: Okay, great. I did not know that you were in charge of HIPAA for the company, either. I just knew that you were the Director of IT.
Elena: It's one of those hats that you kind of assume when you're the Director of IT for a nonprofit as well, too. I'm proud to be a part of that.

Sierra: They pretty much go hand in hand. Can you tell us a little bit more about what you're working on currently?
Elena: Currently, we're working a lot on the practical side of things and looking at our access control and our segmentation. Isolation is a very big part of the defense in depth. That's a very big overhaul that we're trying to put in place. With any other kind of infrastructure, you assume there are always things that you find, “well, that's out of place, and that's out of place.” There's definitely a lot of cleanups that we're working on.
Those are the kinds of things that we have on our plate right now.

Sierra: Okay, great. You were talking about how you're the HIPAA guru. So how did you determine that your organization needed to become HIPAA compliant?
Elena: The first important thing is to realize that when it comes to HIPAA compliance, it's not just an IT duty, which it always falls upon. It's more like working on a partnership with our leadership and getting them to understand and envision: what is the mission of our agency? What are the important parts and aspects of PHI? What systems touch PHI? We prioritize that as well, too. So getting them on board.
Having at least a leadership sponsor is very important to have that understanding, as you're trying to do things in isolation, as it tries to explain the importance of cyber. The money is always going to be a discussion like, “well, how much is this going to cost?”
We always have this weekly PHI meeting that we check in on. It's good to involve that sponsor from leadership to then give them an idea of what we're battling against every week. Here's what is going on. This is what we have to address, or some things that we can put in place to mitigate that, to prevent that, to address that, to monitor that. Those are all things that cost money.
Having a proper sponsor is a very important part of what we do in terms of keeping HIPAA compliance and also engaging the communication to raise awareness as well, too, with our staff.

Sierra: In the Paubox whitepapers, we talk a lot about training staff as a challenge of HIPAA compliance. How do you guys train your team on HIPAA compliance?
Elena: We have a lot of little examples that we would create ourselves and we don't really get them involved. We have created a partnership with our training department and creating some practical training. I will try to make it all fun and put some gamification things on there.
There's definitely a lot of things that we're still trying to figure out. Like with the rest of the cyber community, how do you keep your people engaged? How do you make it fun and different? Because you're able to talk about the technical side of things, you just lose them?

Sierra: Oh, yeah, it's like you're on your phone, you're snoring. We have mandatory HIPAA compliance training. I was actually a little bit impressed by how they were trying to engage us and make it fun. They were making it where you can't skip to the next slide; you got to listen to the whole thing, which I think is good. It's good. Elena, can you talk more about vulnerability scans? And then what your approach currently for this is.
Elena: I thought long and hard about this kind of thing. The vulnerability scanners are great for the traditional sense, but we still have the network just on-prem. Now everybody's working from home, they are fragile. How do you be practical and keep yourself informed about what's going on with everybody at home?
So that's where you have to be very smart about your vendor relationships and finding the right products. Find some kind of behavioral analysis as to what are the things that they need access to, or the things that are normal, what’s not normal.
That's something that we have put in place, and people have been working from home. We're definitely doing a lot of different things towards that as well, too. But as far as a vulnerability scanner, that's gonna be outrun as soon as somebody's home and scope out their network. I'm sure we're gonna be like bugging other places.

Sierra: I did a podcast in the last couple of months about tips for securing your home network. During the podcast, I was like, "Oh, crap, I haven't done this. Oops, I need to get off the podcast and do this." Remote work has introduced a whole different bucket of challenges.
Elena: Definitely your attack surface has increased because everybody's working from home. I'm sure every cyber professional has known that and everybody moves very quickly. There's a lot of things that we still are working on. We are aware of how our folks are doing their work, what their tendencies are. We're trying to see ahead of that.

Sierra: I've talked about this a lot, but the majority of HIPAA breaches result from unencrypted data and the transmission of unsecured PHI. What spurred your organization's need for HIPAA compliant email?
Elena: When we talked about earlier, like the risk factors may come out HIPAA compliance, and for mental health in any industry, I think litigation is the biggest part and coordinating anything. We're always so reliant on other like voice services or email. Email is the most convenient, but also being the highest threat. We know that phishing is on the rise, ransomware. What is the best way to get into any system is to hack an individual. We do know that our individuals might not be as savvy to understand what is a safe email? What is not? What's a safe link? What's a portal that looks safe? What's a portal that doesn't look safe?
So when we thought about all the various portals and for email communication, that was the one struggle that we have to combat with and realize that everybody's going to have a different form of a portal for their email encryption system. That was the biggest complaint about our users is you guys have to get this portal to open up this secure email. We’re like, “do you still have to sign up for this?” We would see numerous tickets like, “I can't sign into this portal” or things like that. I don't really have to deal with that right now.
Email is the most important thing. You really want to remove those barriers for something that is so important. That's why we sought out Paubox and looked at what Paubox is all about. When we saw that it eliminates all the portals and still gives the user experience, as you just type in the email, and all the email encryption is just proxied through the Paubox systems. We don't have to deal with any kind of like manual TLS negotiation. All that thinking is already done for us by Paubox.

Sierra: We write about this a lot. It's you're removing IT out of the process. Like you said, not being pinged every five minutes when somebody can't log into a portal. User error, too, like we talked about a lot in our Paubox marketing material and a lot of our educational material. User error plays a huge role in PHI breaches. We appreciate you saying all those kind words about Paubox. Elena, where do you see the healthcare industry going in the next ten years?
Elena: When we had our strategic plan, we're like, “telehealth in five years.” But then we knocked it out, like, “Okay, we got to get it done.” By the fifth day, we just went for it, but I can imagine mobile health care is gonna be here to stay. It's not totally evolved now. I can see more mobile healthcare, like PHI being portable as well, too, being able to take your PHI with you and having a unified PHI standard.
We're seeing even government entities are starting to trend towards that. We're working towards it, and getting all the systems to kind of consolidate that way. You can see a lot of wearables are moving towards getting a lot of your information and grabbing it from wearables and putting it into your own consolidated PHI.
I do envision in 10 years, a lot of the healthcare systems would be more of a unified platform. You'll have healthcare workers taking their work with them and being able to see patients wherever, whenever. I do see a lot of barriers being removed, but a lot of the system securities and infrastructure will need to catch up with those years as well, too.

Sierra: For sure, Elena, thank you again for your time today and listeners. Thank you for joining the HIPAA Critical Podcast. A few announcements. Our next virtual conference is called Paubox Spring Summit 2021, "Secure Communication During a Pandemic." It will take place virtually on April 6. We are actively looking for event sponsors, and attendance is completely free. If you're interested in attending for free or sponsoring, please send an email to me at email@example.com. We are now also doing monthly Zoom social mixers. This is a place for networking for our customers and noncustomers. Each attendee will receive a drink (alcohol or non) of their choice sent to you before the two-hour virtual event. Attendance again is free, and please send an email to firstname.lastname@example.org if you would like to attend. Our next webinar is on February 24 at 10 am PST with the title of "Tips to Improve Email Security for your Practice." Panelists for this include Dave Ledoux, CIO of Nizhoni Health, Paddy Padmanabhan, CEO of Damo Consulting, and one of our own, Greg Hoffman, who is a senior enterprise account executive at Paubox. In the webinar, you will learn tips and best practices to enhance your email security, how to intercept phishing attacks, actionable items to keep your email inbox safe, key trends related to the evolving email threat landscape, and how to improve user experience. As a reminder, you can listen to other podcasts at www.paubxox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks again and see you next time.